OFFICE OF THE INSPECTOR GENERAL

CONTROLS OVER COPYRIGHTED COMPUTER
SOFTWARE AT THE DEFENSE TECHNOLOGY
SECURITY ADMINISTRATION

Report Number 92-134              September 9, 1992

Department of Defense

The following acronyms are used in this report.

DTSA    Defense Technology Security Administration
IBM     International Business Machines Corporation

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-2884

September 9, 1992

MEMORANDUM FOR DIRECTOR, DEFENSE TECHNOLOGY SECURITY
               ADMINISTRATION

SUBJECT: Audit Report on Controls over Copyrighted
         Computer Software at the Defense Technology
         Security Administration (Report No. 92-134)

This final report is provided for your information and use.
The report addresses unauthorized use of copyrighted computer
software on computers within the Defense Technology Security
Administration. The audit was performed as part of our overall
Audit of Controls Over Copyrighted Computer Software.

Comments on a draft of this report conformed to the
requirements of DoD Directive 7650.3, and there are no unresolved
issues. Therefore, no additional comments are required.

The courtesies extended to the audit staff are appreciated.
If you have any questions on this audit, please contact
Mr. Harrell D. Spoons on (703) 692-2846 or Mr. Marvin L.
Peek on (703) 692-2856.

Assistant Inspector General
for Auditing

cc:
Under Secretary of Defense for Policy
Assistant Secretary of Defense (Command, Control,
  Communications, and Intelligence)

Office of the Inspector General

AUDIT REPORT NO. 92-134                              September 9, 1992
(Project No. 2RF-5004.02)

CONTROLS OVER COPYRIGHTED COMPUTER SOFTWARE
AT THE DEFENSE TECHNOLOGY SECURITY ADMINISTRATION

EXECUTIVE SUMMARY

Introduction. The Defense Technology Security Administration
(DTSA), with an annual operating budget of $8.6 million,
administers the DoD Trade Security Program. This mission
includes reviewing and processing export license applications and
ensuring that the security policy for DoD technology is
implemented. DTSA was included in our ongoing audit of Controls
over Copyrighted Computer Software because of a DoD Hotline
allegation that DTSA was illegally duplicating and installing
software on its computers.

Objective. The audit objective was to determine whether DTSA was
using copyrighted software programs in accordance with licensing
agreements. We also evaluated applicable internal controls.

Audit Results. Of 133 computers tested, 123 had at least
1 copyrighted software program installed without documentation to
show it had been legally acquired. Overall, we found 640 copies
of undocumented, installed software with an estimated retail
value of $72,000. Use of unlicensed software denies vendors
their rightful revenues.

Internal Controls. Although DTSA had issued guidance to control
and account for computer software, the policies were neither
effective nor enforced.
The controls we assessed are described
in Part I of the report, and the finding provides details on the
weaknesses.

Potential Benefits of Audit. No monetary benefits are associated
with the recommendations in this report. Implementation of the
recommendations will ensure that DTSA complies with licensing
agreements for copyrighted software and will prevent liability to
DoD for noncompliance with copyright laws. A summary of benefits
resulting from this audit is in Appendix A.

Summary of Recommendations. We recommended removing
unauthorized software programs from DTSA's computers and
establishing internal controls over the acquisition and use of
copyrighted computer software.

Management Comments. The Director, Defense Technology Security
Administration, concurred with the recommendations, and there are
no unresolved issues. The text of his comments is in Part IV of
this report.

TABLE OF CONTENTS

TRANSMITTAL MEMORANDUM

EXECUTIVE SUMMARY

PART I - INTRODUCTION

     Background
     Objectives
     Scope
     Internal Controls
     Prior Audits and Other Reviews

PART II - FINDING AND RECOMMENDATIONS

     Use of Copyrighted Software

PART III - ADDITIONAL INFORMATION

     Appendix A - Summary of Potential Benefits
                  Resulting from Audit
     Appendix B - Activities Visited or Contacted
     Appendix C - Report Distribution

PART IV - MANAGEMENT COMMENTS

     Director, Defense
       Technology Security Administration

This report was prepared by the Readiness and Operational Support
Directorate, Office of the Assistant Inspector General for
Auditing, DoD. Copies of the report can be obtained from the
Audit Planning and Technical Support Directorate at
(703) 614-6303.

PART I - INTRODUCTION

Background

The Defense Technology Security Administration (DTSA) is under
the direction and control of the Under Secretary of Defense for
Policy. The Deputy Under Secretary of Defense (Trade Security
Policy) serves as the Director, DTSA. DoD Directive 5105.51,
"Defense Technology Security Administration," May 10, 1985,
charters DTSA to administer the DoD Technology Security Program
with the mission to review the international transfer of
defense-related technology, goods, services, and munitions consistent
with U.S. foreign policy and national security objectives. This
mission includes reviewing and processing applications for export
licenses. At the time of the audit, DTSA was authorized
136 employees and had an FY 1992 operation and maintenance budget
of $8.6 million.

On January 28, 1992, an anonymous allegation was forwarded to the
Inspector General, DoD, stating that DTSA had copied and
installed commercial software programs in violation of licensing
agreements and copyright laws. Also, an article appeared in the
February 6, 1992, issue of Washington Technology reporting that
DTSA had "pirated" computer software from various companies.

U.S.C., title 17, section 106, gives copyright owners exclusive
rights to reproduce and distribute their material, and section
504 states that copyright infringers can be held liable for
damages to the copyright owner.
Defense Federal Acquisition
Regulation Supplement, paragraph 252.227-7013 prohibits
unauthorized distribution or copying of commercially-developed
software without written consent from the supplier.

Objectives

The objective of the audit was to determine whether DTSA had
installed commercial software programs in accordance with
licensing agreements and copyrights. We also evaluated policies
and procedures for the control and accountability of
microcomputer software in DTSA.

Scope

DTSA had 150 IBM-compatible [1] microcomputers and 38 other
microcomputers. We examined files installed on 133 of DTSA's
150 IBM-compatible computers to determine which commercial
software programs were installed. We physically examined
22 computers to identify the software installed, and we examined
software files DTSA personnel extracted from the other
111 computers. We judgmentally selected a sample of 50 software
programs purchased by or found installed on DTSA computers for
detailed review. We examined available computer software
procurement and inventory records, dated from October 1988
through February 1992, to determine the number of copies of
software programs authorized to be installed on DTSA computers.
We also contacted software vendors to verify information when
necessary. In addition, we evaluated internal controls over the
installation and operation of software on DTSA's computers.

[1] IBM is a registered trademark of the International Business
Machines Corporation.

This program audit was made from March through April 1992. The
audit was made in accordance with auditing standards issued by
the Comptroller General of the United States as implemented by
the Inspector General, DoD, and accordingly included such tests
of internal controls as were considered necessary.
Activities
visited or contacted are listed in Appendix B.

Internal Controls

We examined controls over the accountability and installation of
computer software and found that controls were neither effective
nor enforced. However, we did not consider these weaknesses
material as defined by Public Law 97-255, Office of Management
and Budget Circular A-123, and DoD Directive 5010.38.
Implementation of Recommendation 2. in this report will correct
the weaknesses. Details on the weaknesses are discussed in the
finding in Part II of this report.

Prior Audits and Other Reviews

The Assistant Inspector General for Inspections, DoD, conducted
an inspection of DTSA during July and August 1991 and issued
Report No. 92-INS-08, "Defense Technology Security Administration
Inspection Report," on April 17, 1992. Compliance with commercial
software licensing agreements was not covered in the inspection.
However, the overall evaluation indicated that internal
management controls and oversight within DTSA were inadequate.

PART II - FINDING AND RECOMMENDATIONS

USE OF COPYRIGHTED SOFTWARE

Of 133 computers tested, 123 had at least 1 copyrighted software
program installed without documentation to show it had been
legally acquired. Overall, we found 640 copies of undocumented
software installed with an estimated retail value of $72,000.
The unauthorized copies were installed because controls over the
use of microcomputer software were not effective and because DTSA
management did not ensure compliance with licensing and copyright
restrictions.
Improper use of copyrighted computer software
contravenes Federal law and denies vendors their rightful
revenues.

DISCUSSION OF DETAILS

Background

Software vendors attempt to control unauthorized use of their
products through licensing agreements that invoke the protection
available under copyright statutes. The specific licensing
agreement for each software product is explained in documentation
that accompanies the system disks that enable the user to install
and operate the software program on a computer. Licensing
agreements for software sold to U.S. Government activities
typically restrict the use of the software program to a single
computer. In some instances, an activity may purchase a
"site license" or a license to use a software program on a local
area network of computers. Such licenses permit an activity to
use the covered software program on the number of computers
specified in the agreement.

DTSA Software Management

The Director, Information Resource Management, is responsible for
software management and for providing technical support for
automated systems within DTSA. A contractor assisted DTSA with
the installation of computer software programs and other aspects
of software management. Although Information Resource Management
personnel are responsible for the installation of computer
software, it is difficult, if not impossible, to prevent users
from installing personally owned or borrowed software programs on
their assigned computers.

DTSA's Administrative Instruction No. 18, "Guidelines for
Installation and Operation of Software," published in July 1988
and updated on November 20, 1991, establishes policy for the
control and accountability of software.
The instruction
provides that:

     o No software will be used on DTSA workstations without
approval from the Director, Information Resource Management.

     o Only copyrighted software licensed to DTSA may be
installed on DTSA equipment. All use shall be in full compliance
with software copyrights.

     o No entertainment software programs will be used on DTSA
equipment.

The Director, Information Resource Management, stated that his
approval was generally not requested before software was
installed on computers. Except for occasional references to
software installation in the contractor's biweekly status
reports, records were not maintained by either the contractor or
DTSA personnel to show what software had been installed on DTSA
computers.

The DTSA had inventoried software manuals and installation disks
during November 1989 through January 1990, and in June 1990,
began to maintain a log of software received. However, an
inventory of software installed on each computer was not
maintained, although the inventory is required by the DTSA
Automated Information System Security Plan, May 22, 1991.

Software Installed on Computers

     Excessive copies. For 19 of the 50 software programs
sampled, documentation was available to support the acquisition
of at least 1 copy of software found on DTSA computers.
Collectively, there were 645 copies of the 19 software programs;
however, only 266 copies were properly licensed, while 379 copies
were in excess of licensing agreements. Examples of the use of
excess copies follow.

In May 1990, the DTSA purchased 75 copies of Word Perfect
software, costing $11,100, and 74 copies of Word Perfect Office
software, costing $5,661. However, we found copies of those
programs installed in 123 of the 133 computers examined. At the
time of our audit, both products were considered standard
software for the IBM-compatible computers used by DTSA.
The
Director, Information Resource Management, stated that he had
verbally approved installing Word Perfect and Word Perfect Office
software during FY 1991 on all IBM-compatible computers before
sufficient copies were purchased so that DTSA could more
effectively perform its mission. He stated he planned to
purchase additional copies of the software at the beginning of
FY 1992, when sufficient funding was available but did not
document that decision. Documentation showed that the DTSA
received funding authority on December 13, 1991, to purchase
items, such as computer software. On February 19, 1992, the DTSA
ordered 76 copies of Word Perfect software for $11,022 and
75 copies of Word Perfect Office software for $3,126.

Procurement records showed that two copies of a utility program
used to back up hard disks had been purchased at $94.50 each. The
audit showed that copies of the software were installed in
79 DTSA computers.

Although records showed that 7 copies of a copyrighted data base
software program had been purchased, the audit showed that the
program was installed on 29 DTSA computers. We were informed
that some of the excess copies were installed because DTSA
personnel had received training on the use of the software and
demanded to use the software, even though sufficient copies had
not been purchased.

     Questionable ownership of software. We found no
documentation to show that DTSA had purchased 18 of the
50 software programs in the sample. We found a total of
261 copies of the 18 programs installed on DTSA computers. Some
of the software we found is discussed below.

Software products on DTSA computers were identified as personally
owned, provided by others, installed by the contractor, or of
unknown origin.
The products included:

          o a computer graphics program, with an approximate
unit cost of $275, installed on 13 computers;

          o an edit utility program, with an approximate unit
cost of $48, installed on 73 computers; and

          o a word processing program, with an estimated unit
cost of $205, installed on 7 computers.

DTSA purchased 165 adapter cards (PC 2001-EN) with accompanying
software from TRW, Incorporated, in three purchases in FY 1988
through FY 1990. The accompanying software was installed on
IBM-compatible computers and was considered part of the standard
software for the computers. Contractors and DTSA personnel had
numerous problems getting the automated systems to work properly
using the version of the software provided with the TRW adapter
cards. According to contractor and DTSA progress reports in
December 1990, TRW provided DTSA an updated version of the
installed software. The updated version was installed on 123 of
the 133 computers tested in our audit sample. A DTSA automated
systems specialist, who worked closely with TRW, stated that TRW
field engineers told her the updated version was provided at no
cost and could be used on computers already using the older
version. However, documentation on the verbal agreement was not
maintained by DTSA or TRW. TRW's standard procedure is to charge
customers about $50 for each upgraded version of the software.
We do not fault DTSA personnel for installing the updated version
of the software without additional payment, if TRW marketing
representatives stated the charge was waived; however, the
absence of documentation precluded verification that payment was
not required.

Loaned Software

DTSA purchased and installed 10 copies of a data management
software program on two local area networks.
Since DTSA was not
fully utilizing all 10 copies of the software, DTSA gave a copy
of the software and a photocopy of the user manual to one of its
contractors in August 1991. When the software vendor learned of
the loan in the fall of 1991, it telephoned DTSA to protest the
violation of the licensing agreement. On February 20, 1992, DTSA
requisitioned an additional copy of the software for $1,144.

Corrective Actions

In September 1990, DTSA tasked the software support contractor to
develop a Resource Management Data Base System. One of the
planned modules of the system included a software management data
base. On February 26, 1992, the contractor provided DTSA with a
draft software inventory module that could provide reports
showing software purchased, the number of legal licenses for each
software program, a list of the software installed on each
computer, and a list of software acquired that had not been
assigned or installed. If unauthorized software is removed from
DTSA computers and the planned software inventory data base
program is implemented, DTSA should have an effective procedure
to account for and control computer software. These actions
coupled with periodic internal reviews will ensure integrity of
all information systems.

Conclusion

DTSA had established policies that, if enforced, should have
eliminated unauthorized software from being installed on its
computers; however, DTSA's management of copyrighted computer
software was ineffective. DTSA management directed or allowed
the installation of software programs in violation of software
licensing agreements, and documentation for software that may
have been licensed was not always maintained. The estimated cost
of the undocumented software we found on DTSA computers averaged
only about $113 per copy; however, copyrighted software at any
cost must be documented to show it was legally acquired.
Use of
copyrighted software programs in violation of licensing
agreements deprives vendors of their rightful revenues.

RECOMMENDATIONS, MANAGEMENT COMMENTS, AND AUDIT RESPONSE

We recommend that the Director, Defense Technology Security
Administration:

     1. Identify and remove from the computers each software
program for which a licensing agreement has not been purchased.

     2. Establish procedures for the acquisition and use of
copyrighted computer software to:

          a. Maintain a current inventory of the software
authorized to be installed on each computer.

          b. Periodically review the propriety of software
installed on computers.

          c. Inform employees of software licensing agreements
and copyright restrictions.

          d. Provide for disciplinary action if an employee
violates a software licensing agreement.

     Management comments. The Director, DTSA, concurred with
the recommendations and stated that copyrighted software
programs without adequate documentation had been removed from
computers. A copy of DTSA's revised procedures implementing
Recommendation 2. was included in the response.

     Audit response. We consider management's comments to be
fully responsive to the recommendations.

PART III - ADDITIONAL INFORMATION

Appendix A - Summary of Potential Benefits Resulting from Audit

Appendix B - Activities Visited or Contacted

Appendix C - Report Distribution

APPENDIX A: SUMMARY OF POTENTIAL BENEFITS RESULTING FROM AUDIT

Recommendation
  Reference         Description of Benefit       Type of Benefit

      1.            Compliance with              Nonmonetary
                    Copyright laws. One-time
                    action to purge
                    unauthorized software
                    from computers

      2.            Internal Control.            Nonmonetary
                    Enhances controls over
                    computer software and
                    promotes compliance with
                    licensing agreements.

APPENDIX B: ACTIVITIES VISITED OR CONTACTED

Office of the Secretary of Defense

Under Secretary of Defense for Policy
  Deputy Under Secretary of Defense (Trade Security
    Policy)
  Deputy Under Secretary of Defense (Security Policy)
  Defense Technology Security Administration
Washington Headquarters Services

Department of the Army

Defense Supply Service - Washington, Administrative Assistant,
  Office of the Secretary of the Army

Non-Government

Federal Systems Division, American Telephone and
  Telegraph, Incorporated
Decision Systems Technologies, Incorporated
Digital Equipment Corporation
Potomac Systems Engineering, Incorporated
Systems Engineering and Development Division, TRW, Incorporated

APPENDIX C: REPORT DISTRIBUTION

Office of the Secretary of Defense

Under Secretary of Defense for Policy
Defense Technology Security Administration
Assistant Secretary of Defense (Command, Control,
  Communications, and Intelligence)
Assistant Secretary of Defense (Public Affairs)
Comptroller of the Department of Defense

Department of the Army

Auditor General, Army Audit Agency

Department of the Navy

Auditor General, Naval Audit Service

Department of the Air Force

Auditor General, Air Force Audit Agency

Other Defense Activities

Director, National Security Agency/Central Security Service
Inspector General, Defense Intelligence Agency
Defense Logistics Studies Information Exchange

Non-DoD Activities

Office of Management and
  Budget
U.S. General Accounting Office
  NSIAD Technical Information Center

Chairman and Ranking Minority Member of the Following
  Congressional Committees and Subcommittees:

  Senate Committee on Appropriations
  Senate Subcommittee on Defense, Committee on Appropriations
  Senate Committee on Armed Services
  Senate Committee on Governmental Affairs
  Senate Committee on the Judiciary
  Senate Subcommittee on Patents, Copyrights, and Trademarks,
    Committee on the Judiciary
  Senate Select Committee on Intelligence
  House Committee on Appropriations
  House Subcommittee on Defense, Committee on Appropriations
  House Committee on Armed Services
  House Committee on Government Operations
  House Subcommittee on Legislation and National Security,
    Committee on Government Operations
  House Subcommittee on Government Information, Justice, and
    Agriculture, Committee on Government Operations
  House Committee on the Judiciary
  House Subcommittee on Courts, Intellectual Property, and the
    Administration of Justice, Committee on the Judiciary
  House Committee on Science, Space, and Technology
  House Subcommittee on Science, Research, and Technology,
    Committee on Science, Space, and Technology
  House Permanent Select Committee on Intelligence
  House Subcommittee on Oversight and Evaluation, Permanent
    Select Committee on Intelligence

PART IV - MANAGEMENT COMMENTS

Director, Defense Technology Security Administration

DIRECTOR, DEFENSE TECHNOLOGY SECURITY ADMINISTRATION COMMENTS

OFFICE OF THE UNDER SECRETARY OF DEFENSE
WASHINGTON, D.C. 20301-2000
NJ3 I A 1992

In reply refer to:
I-31428/92

MEMORANDUM FOR DIRECTOR, READINESS AND OPERATIONAL SUPPORT
               DIRECTORATE, OFFICE OF THE INSPECTOR GENERAL

SUBJECT: Draft Audit Report on Controls Over Copyrighted
         Computer Software at the Defense Technology Security
         Administration (Project No. 2RF-5004.02) - INFORMATION
         MEMORANDUM

We have carefully reviewed the draft report and accept its
recommendations. Since your auditors concluded their on-site
work, the Defense Technology Security Administration (DTSA) has
removed from its computers all copyrighted software programs for
which we had inadequate documentation. We have also supplemented
DTSA's procedures to include specific provisions for maintaining
a current inventory of authorized software, confirming
periodically the authorized software loadings on each computer and
informing employees that failure to comply with DTSA's procedures
and copyright restrictions will subject them to possible
disciplinary action. These supplemental procedures have been
included in revised DTSA Administrative Instruction No. 18, a
copy of which is attached.

Following its creation in 1985, DTSA made a concerted effort
to develop modern automated support systems and a computer
literate staff that could effectively exploit them. I wish to
emphasize that, well before the audit and in the absence of
specific DoD guidance, DTSA recognized the need to implement
internal procedures for controls over copyrighted computer
software and was in the process of implementing them.
The draft
report acknowledges that DTSA had established policies in July
1988 that were intended to prevent the installation of software
on its computers unless authorized by appropriate staff. Our
ability to enforce these policies admittedly had been less than
adequate. As the draft points out, "it is difficult, if not
impossible, to prevent users from installing personally owned or
borrowed software programs on their assigned computers."

Initial manual efforts by DTSA in 1989-1990 to document its
software inventory proved to be insufficient. Thus, DTSA tasked
its software support contractor in September 1990 to develop a
plan to automate inventory procedures to better account for
authorized software. While slowed by other high priority
projects, the system was mature enough to produce the essential
baseline data that enabled your auditors to do their work and, at
the same time, allowed us to identify and remove all inadequately
documented software.

We concur with the audit report's conclusion that the
actions taken by DTSA "will ensure the integrity of all
information systems." However, we believe that the policing of
our current procedure is very labor intensive and, in the long
run, not the most cost-effective means of software control. One
of the benefits of our local area network is that it will
facilitate enforcement of our software controls.
In this
connection, since well before the audit, we have been exploring
the possibility of acquiring a specialized software program that
will block the loading of unauthorized software on individual
DTSA computers. Subject to funding availability and the
procurement regulations, we hope to identify and purchase such a
program within a year.

The draft report does not cite any evidence of willful
violation of the copyright laws. Nor has our own internal review
revealed any such evidence.

Finally, I wish to acknowledge the professionalism of your
audit team. They spent many long hours with our staff learning
how DTSA is coping with complex software problems and their
constructive interaction led to a sound set of recommendations.

William N. Rudman
Deputy Under Secretary
Trade Security Policy

Attachment
As stated

OFFICE OF THE UNDER SECRETARY OF DEFENSE
WASHINGTON, D.C. 20301-2000

1Ul I 4 1992
POLICY

ADMINISTRATIVE INSTRUCTION NO. 18

SUBJECT: Installation and Operation of Software on DTSA's
         Defense Export License Tracking and Analysis (DELTA)
         Workstations

Reference: (a) DODD 5500.7, "Standards of Conduct"
           (b) Federal Information Resource Management
               Regulations (FIRMR)
           (c) DTSA Automated Information Systems Security Plan

A. PURPOSE. To establish procedures in accordance with the
references (a), (b), and (c) to control software which will be
used as standard, support tools and development packages for DTSA
and to promulgate security procedures to insure the integrity of
information within the DELTA information systems environment.

B. APPLICABILITY. This instruction applies to all employees of
the Defense Technology Security Administration (DTSA) to include
contractors and consultants who are authorized access to the DTSA
microcomputer workstations.

C. POLICY. It is the policy of DTSA to insure the integrity of
the classified and unclassified information systems against
compromise and/or willful or accidental destruction of
information.

D. RESPONSIBILITIES. The Director of the Information Resource
Management (IRM) staff will review all software prior to
authorization for use on DTSA workstations to insure the
procurement/licensing of the software is properly documented and that only
licensed commercial or tested public domain software is used on
DTSA systems.
The IRM Director will also ensure that all DTSA\n                  users with access to the Secret DTSA LAN are advised of the\n                  procedures as specified in the current Automated Information\n                  System Security Plan (AISSP) approved by OSD Physical Security.\n                   (Note: The AISSP is a separate reference document and is not\n                  attached to this AI).\n                  E. PROCEDURES. The following procedures will be used for\n                  installing and operating software on DTSA Delta workstations.\n                       1. No software will be used on or copied onto a DTSA\n                  workstation or Server without written approval from the IRM\n                  Director or authorized IRM representative.\n                       2. Copyrighted software licensed to DTSA and installed on\n                  DTSA equipment shall be installed and used in full compliance\n                  with the software copyright.\n              3. Public domain software or other software which has been\n         tested and accepted by the IRM staff, may be used when this\n         software proves to provide added support to the DTSA mission.\n               4. DTSA equipment and software shall be used only for\n         official Government business in accordance with DoD Directive\n         5500.7, subject: Standards of Conduct, page 13,D.3,g as follows:\n         ".... DoD personnel shall not use, directly or indirectly, or\n         allow the use of, any Government property, including property\n         leased to the Government, for other than official purposes."\n              5. 
Software loaded onto a classified workstation will not\n         be removed until all security requirements and procedures\n         delineated in the AISSP governing the removal of same have been\n         met. The DTSA Security Manager has authority to inspect the\n         workstations of all DELTA users.\n              6. All DTSA users will access the approved DTSA software\n         applications through the standard DTSA menu unless a written\n         waiver has been granted by the IRM Director.\n              7. The IRM staff will provide three categories of support\n         for DTSA approved software:\n                  a. Fully Supported: IRM will maintain institutional\n         expertise and skills in this software. New versions will be\n         evaluated and purchased as funding becomes available. Users\n         should expect to receive either in-house or commercial training.\n         Examples of this software are WordPerfect 5.1 and WordPerfect\n         Office.\n                  b. Supported to Level of Need: IRM will support this\n         software to the level necessary to support a unique application\n         or requirement. Software of this kind will be issued to\n         individual employees or directorates who maintain their own\n         knowledge base in detailed operation and maintenance. This\n         software will be updated by the IRM staff only when the version\n         change is necessary to the effective operation of the software\n         and/or proves substantially cost effective. Training will be\n         provided when necessary through approved government or commercial\n         courses. Where IRM support is requested, it will be provided on\n         an as available basis and only when in house expertise exists.\n         Examples of this software are Zyindex and Lotus 1-2-3.\n                  c. 
Not Directly Supported: This software is provided\n         for use "as is." No warranty other than a best effort IRM\n         evaluation that the software is safe to use and useful for the\n         express purpose stated will be given. No training or technical\n         support will be provided other than that which accompanies the\n         software package. This software will be updated only when it is\n         absolutely necessary or when such updates are freely available to\n         the public. An example of this software is the "List" software.\n\n        F. Supplemental Control Procedures. The following procedures\n        will be implemented (and monitored) by the IRM staff:\n             1. The IRM staff will maintain software license numbers\n        and/or agreements and related purchase documentation for as long\n        as the software is used at DTSA. Licenses for software no longer\n        in use will be transferred in accordance with applicable DoD or\n        FIRMR directives and the software will be deleted from DTSA\n        systems.\n             2. Each Director within DTSA will be provided a listing of\n        software and hardware for each workstation in his/her Directorate.\n        The IRM staff and each DTSA workstation user will be\n        required to verify the listing of the hardware and software\n        assigned to the user\'s workstation on a semi-annual basis by\n        signing the "ADP Equipment/Software Assignment Form" (see\n        attachment).\n              3. The IRM staff will conduct random checks of workstations\n         in each Directorate and the Director will be notified in writing\n         should any unauthorized software be detected. 
Any workstation\n         with unauthorized software cannot be used until a virus scan has\n         been completed by the IRM staff and the unauthorized software is\n         removed.\n              4. It is the responsibility of the workstation user to\n         promptly notify the IRM staff of any suspected unauthorized\n         changes to the installed software on his/her assigned\n         workstation.\n              5. DTSA employees who violate these procedures will be\n         subject to disciplinary action.\n         G. EFFECTIVE DATE. This instruction is effective immediately.\n\n\n                                     H. P. Ady III\n\n\n                             Director, Resource Management\n                      Defense Technology Security Administration\n\n         Attachment\n         As stated\n\n\n\n                        DTSA ADP EQUIPMENT/SOFTWARE ASSIGNMENT FORM\n           User Name:\n           Directorate:\n           Date:\n\n           The ADP equipment/software listed below and in the attachment has\n           been assigned to you. Please verify the information is accurate\n           and report any discrepancies to IRM/DPI.\n\n\n\n           ADP Equipment\n                   See Attachment 1.\n\n\n           ADP Software\n                   See Attachment 2.\n\n\n\n           I have verified that the above information is accurate. I\n           understand that no change in the foregoing assigned\n           equipment/software may be made unless authorized in writing by a\n           representative of the Information Resource Management staff of\n           the DTSA Resource Management Directorate. I understand that no\n           software may be copied without such authorization. 
I understand\n           that a violation of these requirements is subject to disciplinary\n           action.\n\n\n\n           Signature (IRM Representative)          Signature (User)\n\n\n\n           Date                                    Date\n\n\n           Attachment(s)\n           As stated\n\n\n\nAUDIT TEAM MEMBERS\n\nWilliam F. Thomas, Director, Readiness and Operational\n  Support Directorate\nHarrell D. Spoons, Program Director\nMarvin L. Peek, Project Manager\nJohn Van Horn, Team Leader\nLisa Earp, Auditor\nRhonda Carter, Auditor\nNancy Cipolla, Editor\nPaula Stark, Secretary\n'